K8S二进制安装方式（calico）模式添加node

1. 签发证书

   # ca.pem, ca-key.pem ca-config.json 是原始签发的ca根证书，和json根
   # kubelet-csr.json 现在是统一做一个统一证书，以后可不用重复签发
   # cat kubelet-csr.json
   {
     "CN": "system:node",
     "hosts": [
       "127.0.0.1",
       "192.168.2.3",
       "192.168.2.4",
       "192.168.2.5",
       .....# 中间是遍历了所有网段的ip地址，这里不可以写网段
       .....
       "192.168.3.249",
       "192.168.3.250",
       "192.168.3.251",
       "192.168.3.252",
       "192.168.3.253"
     ],
     "key": {
       "algo": "rsa",
       "size": 2048
     },
     "names": [
       {
         "C": "CN",
         "ST": "HangZhou",
         "L": "XS",
         "O": "system:nodes",
         "OU": "System"
       }
     ]
   }
   
   cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubelet-csr.json |cfssljson -bare kubelet
   

2. 生成kubelet.kubeconfig 凭证

   1）set-cluster
   kubectl config set-cluster myk8s 
     --certificate-authority=/etc/kubernetes/ssl/ca.pem 
     --embed-certs=true 
     --server=https://127.0.0.1:6443 
     --kubeconfig=kubelet.kubeconfig
     
   #连接apiserver的
   2) set-credentials
   kubectl config set-credentials k8s-node 
    --client-certificate=/application/kubernetes/ssl/kubernetes.pem 
    --client-key=/application/kubernetes/ssl/kubernetes-key.pem 
    --embed-certs=true 
    --kubeconfig=kubelet.kubeconfig 
    
    
   3) set-context 
    
   kubectl config set-context myk8s-context 
     --cluster=myk8s 
     --user=k8s-node 
     --kubeconfig=kubelet.kubeconfig
     
     
   4) use-context
   kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
   

3. 配置kubelet的rbac权限

   # 下面2个都要运行，以前的一套为kubernetes，现在新创建的为k8s-node,以后统一使用K8S-node
   
   # cat kubernetes.yaml 
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: k8s-node
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: system:node
   subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: kubernetes
   
   # cat k8s-node.yaml 
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: k8s-node
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: system:node
   subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: k8s-node
   

4. kube-proxy.kubeconfig不需要每个node都配置，使用原先的

5. 配置nginx 代理api-serser

   cat /etc/nginx/nginx.conf  #1.20需要另外安装stream模块
   ...
   stream {
          upstream apiserver_6443 {
           server 192.168.2.91:6443;
           server 192.168.2.92:6443;
           server 192.168.2.93:6443;
       }
   
           server {
           listen 6443;
           proxy_pass apiserver_6443;
       }
   }
   nginx -t 
   systemctl reload nginx 
   

6. 配置ssh信任

   ssh-copy-id -i ~/.ssh/id_rsa.pub xxxx   #node8
   

7. 将一系列文件拷贝至新node

   cd /etc/
   scp -r kubernetes/ node8:/etc/
   scp kubelet.kubeconfig node8:/etc/kubernetes/
   scp -r /etc/systemd/system/kubelet.service node8:/etc/systemd/system
   scp -r /etc/systemd/system/kube-proxy.service node8:/etc/systemd/system
   scp -r /var/lib/kubelet node8:/var/lib/
   scp -r /var/lib/kube-proxy/ node8:/var/lib/
   scp -r /etc/calico/ node8:/etc/
   scp -r /etc/cni/ node8:/etc/
   scp -r /etc/calico/ node8:/etc/
   
   

8. 登录node8中，修改kubelet和kube-proxy的配置文件

   #修改成对应的ip地址
   略
   #hostname 不带特殊字符和_
   

9. 安装docker

   略
   

10. 启动kubelet和kube-proxy

​